IP security (IPsec) is in global use, for example in corporate Virtual Private Networks. It is also intended for the protection of nodes in third generation (3G) mobile networks. Denial of Service (DoS) is a threat especially in 3G networks, where availability requirements are very strict. This thesis is about identifying those threats and presenting methods for analysing IPsec implementations and their vulnerabilities to certain Denial of Service attacks. The objective of this study is to review IPsec DoS vulnerabilities, and to produce and analyse tools for this. The best entry points for DoS attacks are in the IKE (Internet Key Exchange) protocol, so the scope of the study is limited to attacks against IKE. The results show that implementations differ greatly from each other in robustness against the chosen attacks. In some attacks the best implementations do not suffer from DoS at all, but poor implementations may even crash. Simple protections, such as hard-coded limits for memory consumption, work well against the tested DoS attacks.